Tuesday, October 15, 2024
HomeComputer SecurityHackers Hijacked 7,500+ MikroTik Routers and Redirecting User Traffic to Attackers

Hackers Hijacked 7,500+ MikroTik Routers and Redirecting User Traffic to Attackers

Published on

Malware protection

Cyber Criminals compromised around 7,500+ MikroTik Routers and maliciously enables the Socks4 proxy to redirect the legitimate user’s traffic to the malicious website controlled by attackers to perform web mining and other attacks.

At present, totally 239K IPs have confirmed to have Socks4 proxy enabled maliciously and the attacker continuously scanning the MikroTik RouterOS devices with the help of this compromised Socks4 proxy.

Previously Cybercriminals infected over 1,50,000 MikroTik Routers with Coinhive Cryptojacking Campaign using site key to ultimately mining the cryptocurrency.

- Advertisement - SIEM as a Service

MikroTik provides hardware and software for Internet connectivity around the world and they also created a RouterOS software.

With this campaign, one single malicious hacker involved in enabling the Socks4 proxy on the victim’s devices and the victim’s count keeps increasing since the attacker continuously working for it.

Earlier attacks on MikroTik routers such as CIA Vault7 hacking tool Chimay Red involves 2 exploits and also another malware has exploited the  MikroTik CVE-2018-14847 vulnerability to perform various malicious activities.

Based on the scan result, researchers identified more than 5,000K devices with open TCP/8291 port, and 1,200k of them were identified as Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable, which means users have not updated the patch that released for CVE-2018-14847.

How Do MikroTik Routers attack Works

Once the attacker enables the Mikrotik RouterOS HTTP proxy by exploiting the vulnerability CVE-2018-14847, then the compromised devices HTTP proxy requests traffic redirect to a local HTTP 403 error page.

This error page contains a link for web mining code from coinhive where attackers perform web mining operation.

Another attack scenario represents that, an attacker enabled the Socks4 port or TCP/4153 on victims device and set the Socks4 proxy config only allows access from one single net-block 95.154.216.128/25.

The attacker using this technique in order to gain control even after users device reboot the device and all the 239K IPs only allow access from 95.154.216.128/25 but access should be from 95.154.216.167.

According to netlab,The MikroTik RouterOS device allows users to capture packets on the router and forward the captured network traffic to the specified Stream server.
At present, a total of 7.5k MikroTik RouterOS device IPs have been compromised by the attacker and their TZSP traffic is being forwarded to some collecting IP addresses.

Most of the compromised router’s traffic being redirected to 37.1.207.114 using Eavesdropping technique and attackers mainly interested in port 20, 21, 25, 110, and 143, corresponding to FTP-data, FTP, SMTP, POP3, and IMAP traffic.

Attackers mainly targeting Russia, Iran, India, Ukraine, and many more countries. So MikroTik users recommend updating the MikroTik RouterOS software system in a timely manner, and check whether the HTTP proxy, Socks4 proxy, and network traffic capture function are being maliciously exploited by attackers.

IoC

Attacker and collector IPs

37.1.207.114      AS50673 Serverius Holding B.V.
185.69.155.23     AS200000 Hosting Ukraine LTD
188.127.251.61    AS56694 Telecommunication Systems, LLC
5.9.183.69        AS24940 Hetzner Online GmbH
77.222.54.45      AS44112 SpaceWeb Ltd
[removed]         103.193.137.211   AS64073 Vetta Online Ltd
24.255.37.1       AS22773 Cox Communications Inc.
45.76.88.43       AS20473 Choopa, LLC
206.255.37.1      AS53508 Cablelynx
95.154.216.167    AS20860 iomart Cloud Services Limited.  
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...